The government of Kosovo is currently preparing a new surveillance law that will turn Kosovar network operators and service providers into de facto agents of the Kosovo Intelligence Agency, granting authorities real-time access to communications data without proper oversight or consideration for the right to privacy.
The Law on Interception of Telecommunication will require network operators and service providers to supply infrastructure to allow the Kosovo Intelligence Agency – as well as police and customs agents – to obtain real-time access to all data related to phone calls, electronic communications (emails as well as internet telephony) and geolocation. Privacy International strongly condemns the draft of the law granting such carte-blanche access, and will be writing in the coming days to the Kosovar government, demanding a review of some of the law's most concerning aspects.
The draft law also introduces mandatory data retention, as network operators and service providers are required by the legislation to keep all existing data relating to every subscriber for at least 12 months. What's worse, any data that has been accessed during this 12-month period can be stored for an indefinite period of time.
The Kosovar government promises that the proposed law will be in compliance with European legislation. However their legal justifications are shaky at best, resting on outdated existing laws, including one dating back to 1995, or the recently invalidated 2006 Data Retention Directive, which was struck down due its blatant interference with the right to privacy.
The shadowy land of data retention
The Law on Interception of Telecommunication will allow the Kosovar authorities to obtain access to real-time interception of all data available regarding phone and electronic communications. The network operators and service providers have no right to decline and must not warn or notify users that their communications are being intercepted – even after the interception has concluded. There is currently no specific requirement in the law that a judge must authorize the issue of an order.
More worryingly, the draft law requires network operators and service providers to store a broad set of data on all communications passing through their systems for 12 months. The data retained will include:
- All data allowing the identification of the source of a communication (phone, emails and internet telephony)
- All data allowing the identification of the destination of a communication
- Date and time of start and end of phone communications
- Date and time of the log-in and log-off of the Internet access service
- IP addresses and user IDs for online communications
- Date and time of the log-in and log-off of the email service or internet telephony service
- Data identifying the geographic location of cell phones during the period for which the data is retained
Another problematic issue with the law is the utter lack of transparency on data gathering. Users will not be notified that their data has been collected, and the law further stipulates that “no information on the manner how interceptions are carried out shall be reported or in any other way made available to the public.”
The draft also vaguely mentions that the Kosovo Intelligence Agency will have its own interception interface in their premises regulated solely by the Kossovar law on intelligence agencies. This opaque mention obviously raises a whole other set of concerns on data gathering in Kosovo, including the intertwined relationship between network operators and authorities, as well as any oversight of the program.
Compliance with European laws cannot justify unlawful surveillance
As Article 1 of the law notes that the draft law will take into account three European laws pertaining to data retention, interception of telecommunications and cybercrime, such laws cannot serve as a justification or excuse for the introduction of surveillance measures that undermine human rights.
Member of the Kosovar government have been relying on Brussels to ease the concerns of Kosovar citizens, as the country is a candidate to join the EU. Yet compliance with European laws must not be used as a shield for ushering in laws that seriously undermine privacy rights.
Indeed, following the Snowden revelations European member states have displayed increasing awareness of risks that communications surveillance poses to human rights. The revelations had triggered outrage from all sides of the political spectrum and an inquiry was conducted where experts were interviewed to allow MEPs to reflect on the current state of mass surveillance. Edward Snowden was himself invited to discuss his own experience.
Reflective of this new attitude, on 8 April 2014 the European Court of Justice invalidated the 2006 Data Retention Directive, establishing that mandatory data retention, in the absence of restrictions and strict safeguards, violates the right to privacy enshrined in Article 8 of the European Convention of Human Rights. Ironically enough it is this very Directive – now obsolete – that the Kosovar government refers to in its draft of the law on the interception of telecommunications.
Joining the European Union should be an opportunity for States to increase their citizens' enjoyment of human rights, not diminish it. Kosovo must cease trying to disguise its expansion of surveillance powers as simple acts of compliance with European law, and instead follow the lead of other European states towards greater accountability and transparency around communications surveillance.